As soon as I arrived in Lima last week, I did what countless travelers do every day: go to the cellphone store to get a SIM card with a local number. But this typically mundane ritual, no more exciting than exchanging your dollars for euros, soon turned unexpected—I hacked a criminal network.

When I was planning my trip, narcotics were the last things on my mind. In the sanguine days before Omicron, Peru felt like a dream, a dose of warmth and sunshine before heading home to the bleak New York winter. But minutes after I left the Movistar store, phone number in hand, I found my new holiday pastime: telling people they had the wrong number. I assumed that it’d be a minor annoyance, a few text messages before people passed the word around. But things got much stranger when I installed WhatsApp.

The problems started with a jarring home screen. Instead of the fresh slate of a new account, I was met with a list of dozens of groups that I apparently was already a member of. Even with my embarrassingly poor Spanish, terms like “Dark Web” stood out, and the sexually suggestive emojis required no translation. Then I started getting messages. And while most of you will never find yourself embroiled in a Peruvian crime ring, your digital life faces the exact same vulnerabilities.

WhatsApp is encrypted, so people felt secure to speak candidly. And they began to speak a lot about drugs, sex work, and other terms I didn’t want to translate. People told me about upcoming deliveries, mentioning places I had never heard of. I was in heaven, sitting beside a rooftop pool overlooking the beaches and cliffs of Miraflores, and having a panic attack.

I started playing out scenes from cheesy mob movies, the naive bystander who’s killed because he saw too much. So I deleted everything. Every message, every group. I even went through mental exercises to blur my own memories, forcing myself to forget. But people continued to reach out. And when I continued to explain they had the wrong person, they were insistent: “Delete the number!”

And that’s how I ended up giving cybersecurity advice to a crime ring. I promised to delete the account, to switch the number, but then I explained how they were already compromised. Like so many WhatsApp accounts, my predecessor’s didn’t have a PIN, the opt-in security feature that can block exactly what I did by accident, taking over another person’s account, and in effect another person’s world. I could get a new number, but without a PIN, whoever next got the number Movistar had loaned me would end up facing the exact same horrors.

As in nearly every country in South America, WhatsApp is Peru’s most popular communications platform. In some countries, the Facebook-owned app is so ubiquitous that it has effectively replaced texting, allowing users to circumvent phone company charges and reliably connect in areas with poor cell coverage. Another draw, of course, is security. But while encryption is indispensable, it’s not enough. End-to-end encryption means Facebook and anyone who intercepts your messages can’t read the content of what you wrote. But they can know everything else. With WhatsApp, they know who your contacts are, what groups you belong to, and when and to whom you’re sending messages.

While WhatsApp has supported two-factor authentication since 2017, it has never been a default requirement. And no one knows exactly how many of WhatsApp’s 2 billion accounts are unsecured. WhatsApp should make PINs mandatory, or at least the default. But it’s far from alone. Not only do encrypted messenger platforms like Signal have similar vulnerabilities, but many others do too. Even after I deleted WhatsApp, I continued to receive a flurry of texts from banks and payment apps, all looking to confirm someone else’s identity.